discordrat | 8babcf505f2bf387850280c73ba6e2b3cd950b0383047841ac109f479a288c6e

Resubmissions

09-08-2024 07:49

240809-jn5g1ssapc 10

09-08-2024 07:49

240809-jnprkasanc 10

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ScaryKart.exe
Size

551KB
MD5

eb08107e08a2536292902db8cc97d722
SHA1

ec62cc7d5a90db160195f473495ec9e5c102d60b
SHA256

8babcf505f2bf387850280c73ba6e2b3cd950b0383047841ac109f479a288c6e
SHA512

89999cfa54fa033b6e03b7b407ee296cb7b7fd9e834e55210c83085b934e7b07f063bfb359fa7e84563e7473fbd4dca4e1c09f44163aca0e9dad337a2fb66f12
SSDEEP

12288:5hqxSLo5C1Ps4XhitX+t4983sMbK93vC2Td6FtJ/TL:5HLmCiIhiX483vC+mtJv

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MzI3OTgwMTIzODg4MDI4OQ.GRYisY.MCX3PxYFEDjNe8KMtaXisef9H7jEZywLNsHvs0
server_id
1253280184275173377

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2564	Test.exe

Loads dropped DLL 6 IoCs

pid	Process
3008	ScaryKart.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScaryKart.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2564	3008	ScaryKart.exe	30
PID 3008 wrote to memory of 2564	3008	ScaryKart.exe	30
PID 3008 wrote to memory of 2564	3008	ScaryKart.exe	30
PID 3008 wrote to memory of 2564	3008	ScaryKart.exe	30
PID 2564 wrote to memory of 2684	2564	Test.exe	31
PID 2564 wrote to memory of 2684	2564	Test.exe	31
PID 2564 wrote to memory of 2684	2564	Test.exe	31

C:\Users\Admin\AppData\Local\Temp\ScaryKart.exe
"C:\Users\Admin\AppData\Local\Temp\ScaryKart.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Test.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2564 -s 596
    3⤵
    - Loads dropped DLL
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Test.exe

Filesize
78KB

MD5
f90a42773820e56ce58d67e7f4509954

SHA1
c0db25be44be20089e438a81d12812af5107bf31

SHA256
08a2eba2ab9395856f1d0dfd30e21c0a86e3acac63eb72d685ff4af9230c0377

SHA512
11b4b20c3f4503e6b05a6a8c53619574e244241f8544036f8a00feadcf83daac478d4f7e8cc736af4603d7957f007713167f7ea6118dbddd33608830ab6924a6

Download Submit
memory/2564-10-0x000007FEF61A3000-0x000007FEF61A4000-memory.dmp

Filesize
4KB

Download
memory/2564-11-0x000000013FD00000-0x000000013FD18000-memory.dmp

Filesize
96KB

Download
memory/2564-16-0x000007FEF61A0000-0x000007FEF6B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-18-0x000007FEF61A3000-0x000007FEF61A4000-memory.dmp

Filesize
4KB

Download
memory/2564-19-0x000007FEF61A0000-0x000007FEF6B8C000-memory.dmp

Filesize
9.9MB

Download